Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15/05/2025, 20:50
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
Resource: win10v2004-20250502-en
General
Target: JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
Size: 341KB
MD5: 04db9d44bbbebf41613d356574831640
SHA1: 7abae85103da773b963a8e29c5371726f07ed9f2
SHA256: e9925e6bec9f8e278ecdeee7318f2e34741570d56d99caa6668a0ce5438c6610
SHA512: 708827b0dd75563b30a89cf5f4cc6befa564320367ba6b26867e83f0f759a15a22a6d07a52a6945d2e21a45acc536cba7c7ed2e7bf68ab9f70fa390b5ca44e1a
SSDEEP: 6144:b3rQu1YseQypi1tSq1AwvtpQZsm/KszDxxwm6yfcZ27pb49DppA+ZwlcZUSN:b30Ye+1JUZsmjBxwCX7uq+UhS
Malware Config
Signatures
Imminent family

Executes dropped EXE (1 IoCs)
pid | Process
3944 | skypehostnames.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\skype = "C:\\Users\\Admin\\AppData\\Roaming\\skypehost\\skypehostnames.exe" | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe

Drops desktop.ini file(s) (2 IoCs)
description | ioc | Process
File created | C:\Windows\assembly\Desktop.ini | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe

Drops file in Windows directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\assembly | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
File created | C:\Windows\assembly\Desktop.ini | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
File opened for modification | C:\Windows\assembly\Desktop.ini | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | skypehostnames.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
3352 | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3352 | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
Token: 33 | 3352 | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
Token: SeIncBasePriorityPrivilege | 3352 | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
3352 | JaffaCakes118_04db9d44bbbebf41613d356574831640.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | Process | procid_target
PID 4888 wrote to memory of 3944 | 4888 | cmd.exe | 92
PID 4888 wrote to memory of 3944 | 4888 | cmd.exe | 92
PID 4888 wrote to memory of 3944 | 4888 | cmd.exe | 92
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04db9d44bbbebf41613d356574831640.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_04db9d44bbbebf41613d356574831640.exe"
  PID: 3352
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Roaming\skypehost\skypehostnames.exe
  PID: 4888
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\skypehost\skypehostnames.exe
      Command line: C:\Users\Admin\AppData\Roaming\skypehost\skypehostnames.exe
      PID: 3944
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
  PID: 4424
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 341KB
MD5: 04db9d44bbbebf41613d356574831640
SHA1: 7abae85103da773b963a8e29c5371726f07ed9f2
SHA256: e9925e6bec9f8e278ecdeee7318f2e34741570d56d99caa6668a0ce5438c6610
SHA512: 708827b0dd75563b30a89cf5f4cc6befa564320367ba6b26867e83f0f759a15a22a6d07a52a6945d2e21a45acc536cba7c7ed2e7bf68ab9f70fa390b5ca44e1a